Book Image

Windows Malware Analysis Essentials

By : Victor Marak
Book Image

Windows Malware Analysis Essentials

By: Victor Marak

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Windows Malware Analysis Essentials
Victor Marak
Sep, 2015 | 330 pages
No titles found
Table of Contents (13 chapters)
Windows Malware Analysis Essentials
Windows Malware Analysis Essentials
Credits
Credits
About the Author
About the Author
Acknowledgments
Acknowledgments
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Down the Rabbit Hole
Down the Rabbit Hole
Number systems
Signed numbers and complements
Boolean logic and bit masks
Breathing in the ephemeral realm
Sharpening the scalpel
Performing binary reconnaissance
Exploring the universe of binaries on PE Explorer
Getting to know IDA Pro
Entropy
Summary
2
Dancing with the Dead
Dancing with the Dead
Motivation
Registers
The initiation ritual
Preparing the alter
Code constructs in x86 disassembly
Summary
3
Performing a Séance Session
Performing a Séance Session
Fortifying your debrief
Debriefing – seeing the forest for the trees
Preparing for D-Day – lab setup
Whippin' out your arsenal
Summoning the demon!
Post infection
Exorcism and the aftermath – debrief finale!
Summary
4
Traversing Across Parallel Dimensions
Traversing Across Parallel Dimensions
Compression sacks and straps
Alice in kernel land – kernel debugging with IDA Pro, Virtual KD, and VMware
Summary
5
Good versus Evil – Ogre Wars
Good versus Evil – Ogre Wars
Wiretapping Linux for network traffic analysis
Encoding/decoding – XOR Deobfuscation
Malicious Web Script Analysis
Byte code decompilers
Document analysis
Redline – malware memory forensics
Malware intelligence
Summary
Index
Index

Exploring the universe of binaries on PE Explorer

PE Explorer from Heaventools (Germany/Canada) is a well-featured toolkit for a static analysis of the following PE file format extensions in Windows—EXE, DLL, SYS, DRV, MSSTYLE, CPL, OCX, BPL, DPL, SCR, and FLT—and Windows CE binaries. The GUI is intuitive and not at all complicated. The approach here is that every aspect of a PE binary has its own separate view. The price tag of $129 offsets any perceived deficiencies as the disassembler is very capable and the exploded view provided of a PE file is second to none. However, there is no debugger and the code cannot be edited (you can use an external hex editor), so dynamic analysis is not an option, which in the right situation, maybe exactly what you need. The basic editing features are only provided for the header flags and timestamps.

The HEADERS INFO, DATA DIRECTORIES, and SECTION HEADERS toolbar items (the View menu) display each item in a tabular arrangement. In the figure, notice the value in the Real Image Checksum textbox and the Checksum field value in the right-most pane of 0x0002BC86. This is the link checksum value inserted by the linker; the real checksum is calculated during the load time of DLLs or system drivers by the Windows loader to check memory integrity. In general, any discrepancies result in discarding the particular instance.

When the Editor (Ctrl + Shift + P) button in the Characteristics column is clicked on, an edit dialog enumerates the flags for this field.

All the flag values are OR'ed (each value is different, so the binary patterns just fall in place with respect to their respective position in order to resemble a composite binary pattern) to get the final value in hexadecimals in order to communicate to the Windows loader of the required values in the binary header field. Some values are of special importance to us for malware analysis; 0x2000 signifies that the file is a dynamic link library (DLL), and conversely, 0x0002 signifies that the file is an executable (no unresolved external references), which is an EXE file in this instance. 0x1000 would signify that the file is a system file, such as a driver (.sys). The remaining flags are also important, and they convey the validity of the executable to Windows, such as memory usage of more than 2 GB and swap file usage if the file image is on removable media or the network, among others.

Export tables and import tables are described in a similar fashion. Integrated Quick Function Syntax Lookup is a great feature for both learning and investigating standard Windows APIs, instead of spending time with manual lookups. Authenticode Digital Signature Viewer is a feature to verify the authenticity of the publisher via a certificate-based digital signature. A very handy Resource Editor is also provided.

The disassembler (Ctrl + M, Tools | Disassembler) opens in its own window and overlaps the main interface, which can be toggled back anytime.

Name List to the right provides a list of labeled addresses (including conditional and unconditional branching destinations, function prologues, named data, and string references) by the disassembler, with the entry point clearly indicated. Labels can be renamed by pressing N (Edit | Rename Label).

The lower left tabs View 1, View 2, View 3, and View 4 (F6, F7, F8, and F9) provide persistent disassemble views that are independent of the main view and are swappable.

The Strings tab provides a list of detected strings; you can further manipulate strings detection by using the toolbar, using menu items (Edit | Mark as String/Pascal String/Long Pascal String/Unicode), or pressing S, A, L, or U to activate each of them.

Code can be manually marked in the assembly listing by pressing 'C.' Dwords and offsets can be marked by pressing D and O, respectively.

Comments can be entered by pressing ;.

The unprocessed data tab displays some blocks of data that do not have a reference to a procedure.

The main disassembly view is towards the top-left. A nice feature in this view is the provision for an immediate adjustment of the space between each assembly line (Ins and Del) and the number of opcodes per line (Shift + Ins and Shift + Del).

Navigation is really simple. Branching addresses can be navigated by selecting the relevant line and pressing Enter. For instructions with a second operand destination address, press Ctrl + Enter. Going back to a previous address requires pressing Esc, and to visit a particular address, you have press Ctrl + G and type the address in the hexadecimal format.

Subroutines that might have references can be listed in a pop-up window by selecting the starting address of the procedure and pressing R (Search | References). The list can then be traversed by double-clicking on each listed address.

Automatic unpacking is done for UPX, NSPACK, and WinUPack, and the file can be saved unpacked to the file system.

The disassembler options (View | Disassembler Options) provide with a list of instruction sets to disassemble for. The checked Auto Rescan option and Auto Rescan count value are fine at default values, but for complicated binaries, they may require more passes. The number of displayed opcodes can be set to a default value.

The Advanced tab provides for settings that are fine as default.

A dependency scanner (Ctrl + N) hierarchically lists out the external modules and library files that are requisite to a successful execution of the primary binary.

Previous Section
End of Section 8
Next Section